Malfunction's Functions: Automated Static Malware Analysis using Function Level Signatures
Matthew Rogers, Jeramy Lochner
Derbycon 2015 (Hacking Illustrated Series InfoSec Tutorial Videos)

Standard antivirus is frequently and easily bypassed by malware custom-written for an attack. Fortunately, malware authors are surpassed in laziness only by college students confronted with homework. Code re-use by Advanced Persistent Threats (APTs) gives us a chance to detect and identify never-before-seen malware. This talk is a summary of an experimental malware detection and analysis method developed by interns at Dynetics, Inc. Their solution differs from traditional methods in that malware signatures are unique to an assembly-language function, not a file, and in that signature generation uses context-triggered piecewise hashing (fuzzy hashing) instead of traditional absolute hashing algorithms such as MD5. The team created software called Malfunction that implements these methods. Preliminary tests indicate that it is capable of identifying the author of a malware sample by comparing it to known malware from that author, showing promise both as a detection tool and as a forensics toolkit. While similar tools have been made before, none have done so on a per-function basis while providing a percentage chance of a file being malicious.
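The abstract contrasts two design choices: signatures per assembly function rather than per file, and fuzzy (context-triggered piecewise) hashing rather than absolute hashes such as MD5. The following is an added illustration, not code from the Malfunction tool or its authors. It implements an ssdeep-style rolling hash and piecewise signature from scratch, stores signatures per function for a constructed "known malware family", and scores an unseen sample by the share of its functions that match. The function bodies are random bytes standing in for disassembled code, the family and function names are constructed, and the block size, alphabet reduction and 60-point threshold are assumptions chosen for the demonstration.

```python
import hashlib
import random
from difflib import SequenceMatcher

# ssdeep-style signature alphabet: each piece hash is reduced to one base64 character
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
ROLLING_WINDOW = 7                      # bytes covered by the rolling hash (ssdeep's choice)
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193
MASK32 = 0xFFFFFFFF


def rolling_hashes(data):
    """Yield a 32-bit rolling hash over the last ROLLING_WINDOW bytes at every offset."""
    h1 = h2 = h3 = 0
    window = [0] * ROLLING_WINDOW
    for i, c in enumerate(data):
        h2 = h2 - h1 + ROLLING_WINDOW * c          # position-weighted sum of the window
        h1 = h1 + c - window[i % ROLLING_WINDOW]   # plain sum of the window
        window[i % ROLLING_WINDOW] = c
        h3 = ((h3 << 5) ^ c) & MASK32              # shift-xor mixing
        yield (h1 + h2 + h3) & MASK32


def ctph(data, block_size=8):
    """Context-triggered piecewise hash: cut wherever the rolling hash hits a trigger
    value, FNV-1a hash each piece, emit one character per piece. A one-byte edit
    therefore disturbs only the piece(s) around it, unlike MD5 over the whole body."""
    sig, piece = [], FNV_OFFSET
    for c, rh in zip(data, rolling_hashes(data)):
        piece = ((piece ^ c) * FNV_PRIME) & MASK32
        if rh % block_size == block_size - 1:      # context-dependent boundary
            sig.append(B64[piece & 63])
            piece = FNV_OFFSET
    sig.append(B64[piece & 63])                    # trailing partial piece
    return "".join(sig)


def similarity(sig_a, sig_b):
    """0-100 score for two signatures (edit-distance style, as ssdeep's compare does)."""
    return round(100 * SequenceMatcher(None, sig_a, sig_b).ratio())


def md5(data):
    return hashlib.md5(data).hexdigest()


# ---- constructed sample data: random bytes stand in for disassembled function bodies ----
def fake_function(seed, length=512):
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(length))


def patched(body, offset, delta=1):
    """Simulate a recompiled or lightly tweaked function by changing one byte."""
    out = bytearray(body)
    out[offset] = (out[offset] + delta) & 0xFF
    return bytes(out)


# Hypothetical known-malicious functions of one family, indexed per function, not per file
KNOWN = {
    "decrypt_config": fake_function(1),
    "beacon": fake_function(2),
    "persist": fake_function(3),
}
KNOWN_SIGS = {name: ctph(body) for name, body in KNOWN.items()}

# A "never-before-seen" sample: two reused functions (slightly changed) plus one new one
UNKNOWN = {
    "sub_401000": patched(KNOWN["decrypt_config"], 40),
    "sub_401200": patched(patched(KNOWN["beacon"], 30), 400),
    "sub_401400": fake_function(99),
}


def match_functions(sample, known_sigs, threshold=60):
    """For each sample function, find the closest known function and decide whether it
    counts as a code-reuse hit. Returns {name: (best_known, score, is_hit)}."""
    results = {}
    for name, body in sample.items():
        sig = ctph(body)
        best_name, best = max(((k, similarity(sig, s)) for k, s in known_sigs.items()),
                              key=lambda t: t[1])
        results[name] = (best_name, best, best >= threshold)
    return results


def malicious_percentage(results):
    """Share of the sample's functions that match known-malicious code."""
    hits = sum(1 for _, _, hit in results.values() if hit)
    return round(100 * hits / len(results))


if __name__ == "__main__":
    # Absolute hash: a single changed byte gives a completely different MD5
    print("MD5 still matches after one-byte edit:",
          md5(KNOWN["decrypt_config"]) == md5(UNKNOWN["sub_401000"]))
    results = match_functions(UNKNOWN, KNOWN_SIGS)
    for fn, (known, score, hit) in results.items():
        print(f"{fn}: closest known function {known}, score {score}, hit={hit}")
    print("chance file is malicious:", malicious_percentage(results), "%")
```

The per-function index is what lets the sample match at all: the file as a whole has never been seen, but two of its three functions score well above the threshold against the stored family, while the new function scores near zero. The percentage is deliberately simple (matched functions over total functions); a production tool would weight by function size or by how distinctive each matched function is.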

Matthew Rogers and Jeramy Lochner are freshmen at Auburn University who are both software engineers doing cyber security research. They are national champions of Cyber Patriot and have been doing malware analysis as interns at Dynetics.


Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast